
In 2013, a National Security Agency contractor named Edward Snowden revealed US surveillance programs that involved the massive and warrantless gathering of Americans' electronic communications. Two of the programs, called Upstream and Prism, are allowed under Section 702 of the Foreign Intelligence Surveillance Act. That section expires at year's end, and President Donald Trump's administration, like his predecessor's administration, wants the law renewed so those snooping programs can continue.

That said, even as the administration seeks renewal of the programs, Congress and the public have been left in the dark regarding questions surrounding how many Americans' electronic communications have been ensnared under the programs. Congress won't be told in a classified setting either, despite repeated requests.

Rep. John Conyers, a Democrat from Michigan and member of the House Judiciary Committee, told a panel hearing last week that Congress needed the numbers to help it decide whether to reauthorize the programs.

"The members of this committee and the public at large require that estimate to engage in a meaningful debate," he said.

This isn't the first time lawmakers have been stonewalled on the issue. Sen. Ron Wyden, a Democrat from Oregon and a member of the Senate Intelligence Committee, had asked for the information in 2011, 2012, and 2014, and he's renewing the request again. Despite the lack of information, Congress has repeatedly renewed the programs even before Snowden revealed them.

"I and other members of Congress have been seeking an answer to this question since 2011. We posed the question again in the context of the reauthorization of Section 702. It is now central to the debate this year over the reauthorization of the program, which you have described as your 'top legislative priority,'" Wyden wrote in a letter to Daniel Coats, Trump's nominee for director of national intelligence.

Coats has told Wyden he would "do everything I can" to "get you that number," but he did not guarantee he would do it.

For its part, the Electronic Frontier Foundation is urging Congress to let the spy programs expire.

"We've long argued that the surveillance programs under Section 702 are not targeted, do not have sufficient oversight, and violate Fourth Amendment protections. That's why we’re calling on Congress to let the authority sunset," the EFF said.

One of the programs at issue, PRISM, authorizes the NSA to siphon bulk data from Apple, Facebook, Google, Microsoft, Yahoo, and other online companies, according to a classified PowerPoint presentation Snowden divulged. The other program at issue, Upstream, enables the NSA to monitor and copy traffic flowing through the Internet backbone.

All of this spying is supposed to target foreigners, but Americans' electronic communications are ensnared as well. The authorities call this "incidental" collection. Privacy advocates call it a backdoor to seize Americans' data without court warrants.

Still, US spies say they don't track the number of Americans caught in this dragnet, in part to protect Americans' privacy. Performing this task would require spies to de-anonymize phone numbers and IP addresses to determine whether they're American, according to April Doss, a former NSA lawyer who testified (PDF) before the House Judiciary Committee on March 1. As her testimony laid out:

A requirement to count the number of U.S. person communications that are incidentally acquired under Section 702 would require the Intelligence Community to conduct exhaustive analysis of every unknown identifier in order to determine whether they are being used inside or outside the U.S., and whether their users might be U.S. persons located anywhere in the world. NSA does not—nor should it—collect or maintain comprehensive directories of the communications identifiers used by U.S. persons. However, in order to perform a reliable count of U.S. person communications in 702 collection, the Intelligence Community would have to create and maintain precisely such a database. The very creation of these reference databases would constitute an unnecessary and unwarranted intrusion on the privacy of U.S. persons; without specific statutory authorization, it would likely also be unlawful, since it would be both intrusive and unrelated to any need for foreign intelligence gathering. Further, searching for U.S. person information would require intelligence agencies to divert scarce analyst time and computing resources away from intelligence activities in order to hunt for the communications of U.S. persons whose information is not related to an authorized intelligence need (and whose information would never be looked at by the government but for this requirement).

Section 702 of the Foreign Intelligence Surveillance Act, which authorizes the Upstream and Prism programs, expires December 31.


David Kravets
The senior editor for Ars Technica. Founder of TYDN fake news site. Technologist. Political scientist. Humorist. Dad of two boys. Been doing journalism for so long I remember manual typewriters with real paper. Email: david.kravets@arstechnica.com // Twitter: @dmkravets

If a government employee is not answering questions to the committees regarding these issues, what measures can the committees take to force an answer? Can they impeach, or compel testimony? Can they throw somebody's ass in jail until the question gets answered?

I would assume that they're collecting IP addresses along with this traffic. Couldn't that be used to generate at least a rough estimate of the number of US citizens targeted? Is there another way to generate a good estimate?

I would assume that they're collecting IP addresses along with this traffic. Couldn't that be used to generate at least a rough estimate of the number of US citizens targeted? Is there another way to generate a good estimate?

Number of traffic between IPs in the US and overseas may be a more accurate number. If indeed the subject of the surveillance are only foreigners.

If a government employee is not answering questions to the committees regarding these issues, what measures can the committees take to force an answer? Can they impeach, or compel testimony? Can they throw somebody's ass in jail until the question gets answered?

Nothing can be done because the intelligence services are in the privileged position of being able to sabotage anybody's political career. So everyone keeps going through the motions of simulating free will while actually only doing as they're told. And it will only get worse so brace for it.

If a government employee is not answering questions to the committees regarding these issues, what measures can the committees take to force an answer? Can they impeach, or compel testimony? Can they throw somebody's ass in jail until the question gets answered?

The American people don't know and don't care to know. John Conyers really needs to focus on the things that matter, like stopping Detroit from sinking into the abyss; getting jobs for his constituents; lowering the amount of kids being born out of wedlock and preventing them from killing each other over trivial things like clothes and being disrespected.

I would assume that they're collecting IP addresses along with this traffic. Couldn't that be used to generate at least a rough estimate of the number of US citizens targeted? Is there another way to generate a good estimate?

You would need more than just IPs to make that determination - anyone with a VPN can have an American IP address, same with TOR exit nodes. This number would be completely useless. You'd have to cross reference the IP with a bunch of other data and that leads to a catch-22: you'd have to maintain a database of American data to be able to detect when you have American data so you can not keep it except what you have in your database of American data that you use to detect American data so you can not keep it.

Still, US spies say they don't track the number of Americans caught in this dragnet, in part to protect Americans' privacy. Performing this task would require spies to de-anonymize phone numbers and IP addresses to determine whether they're American, according to April Doss, a former NSA lawyer who testified (PDF) before the House Judiciary Committee on March 1.

This seems to imply that they're reading the request to "get the count of Americans monitored" extremely literally, interpreting it as "get the exact number of Americans".

The NSA has some very good mathematicians - they should easily be able to give a pretty highly accurate estimate using the sample data they already have from when they've de-anonymized targeted persons, +/-10%.

Still, US spies say they don't track the number of Americans caught in this dragnet, in part to protect Americans' privacy. Performing this task would require spies to de-anonymize phone numbers and IP addresses to determine whether they're American, according to April Doss, a former NSA lawyer who testified (PDF) before the House Judiciary Committee on March 1.

This seems to imply that they're reading the request to "get the count of Americans monitored" extremely literally, interpreting it as "get the exact number of Americans".

The NSA has some very good mathematicians - they should easily be able to give a pretty highly accurate estimate using the sample data they already have from when they've de-anonymized targeted persons, +/-10%.

This estimate I'm sure was rolling around in the head of someone at the table.

The whole point of the system is to provide information that they're requesting, literally how computers work.

Stonewalling Congress needs to be a good way to find an agency without funding or mandate.

Instead it's more like Kanye stealing the mic at the Grammys, but with more chest medals.

We should send them to Guantanamo Bay until they talk and cut their funding 50%.

The US Govt is supposed to work FOR US citizens. Something has gone wrong. People need to be held accountable.

Spying on everyone is NOT ok without an individual, specific, tied-to-location, warrant signed by a judge outside some secret court.

PERIOD.

The heads of these agencies know if they ever say any number, that will be the end due to outrage. There is little to be gained, unless they are sent to prison. If I were a senator, I'd give immunity to some of the whistleblowers to find the truth. Give them a chance to testify about their bosses.

The American people don't know and don't care to know. John Conyers really needs to focus on the things that matter, like stopping Detroit from sinking into the abyss; getting jobs for his constituents; lowering the amount of kids being born out of wedlock and preventing them from killing each other over trivial things like clothes and being disrespected.

I agree with a part of your sentiment but feel, maybe wrongly, that you are also hiding racism behind those words. The part that I agree with - most people don't care enough about spying programs or which 3 letter agency is scanning their ass. You can probably get 100 million Americans to sign a petition on Facebook or Twitter or your neighborhood supermarket and only because those are low investment options. There is nothing wrong with such an existential position; I am guilty of that for most part of the day. If the scanning keeps me "safe" and I have nothing to hide, why bother? Now, you will get a lot more people involved if such scanning led to prosecution for the little technical crimes we do every day of our life; until then this will continue if only with another name.

I would assume that they're collecting IP addresses along with this traffic. Couldn't that be used to generate at least a rough estimate of the number of US citizens targeted? Is there another way to generate a good estimate?

"Another way to generate a good estimate?" Certainly. Go to the US Census Bureau. They can get you real close. Or just google it. As of 2014, it was 318.4 million.

If they're scanning the backbone, AND checking the main sites people go to, that's pretty danged close to everybody.

I'm sure Feinstein has her rubber stamp out. There is no request from NSA/CIA that she doesn't love.

Grrrrrr...

Don't vote for her again, I know I won't.

Just got an email from Feinstein's office today with a laundry list of ways she is opposing Trump and his picks, no mention of national security issues. I'm sure that Feinstein and the current Administration will come together on National Security - in their view it's about "protecting Americans" which I read as "covering my ass on my watch".

If a government employee is not answering questions to the committees regarding these issues, what measures can the committees take to force an answer? Can they impeach, or compel testimony? Can they throw somebody's ass in jail until the question gets answered?

I would assume that they're collecting IP addresses along with this traffic. Couldn't that be used to generate at least a rough estimate of the number of US citizens targeted? Is there another way to generate a good estimate?

We cannot provide an answer to your request, Senator, simply because we don't know the answer. Should we ever embark upon data analysis that would provide the answer you're seeking, such action would constitute an unnecessary and unwarranted intrusion on the privacy of U.S. persons; without specific statutory authorization, it would likely also be unlawful, since it would be both intrusive and unrelated to any need for foreign intelligence gathering.

And we don't want to act in any manner that may be regarded as unlawful ... unless Congress were to provide authorization for us to do so ...

Then there is the matter of resource allocation: current budgets constrain us from embarking upon such a program of data analysis, in terms of both the hardware and human resources that such a program would require.

Estimates on the additional funding that such a program would require have been developed, however these budgetary requirements cannot be released to Congress, as they are classified. Should Congress decide to provide both authorization and funding for such a program, we can advise on the number of zeros ( "0" ) that the funding authorization should include.

In summary, Senator, it would appear that "the ball is entirely in your court" so to speak ...

The evasiveness is deceptive in and of itself. When the NSA says it "would require the Intelligence Community to conduct exhaustive analysis of every unknown identifier in order to determine whether they are being used inside or outside the U.S." that's because they don't even count the data as "collected" unless an analyst looked at it. Recorded? Doesn't count. Searched by computer programs for keywords or pattern matching? Doesn't count. A human looked at it? Ok, that counts.

By this definition, they should be able to produce a deceptively low number, perhaps thousands to tens of thousands per year.

By our definition, which says if you put the data in your database and use it when running searches, that data has been collected, there's no doubt the number is nearly the same as the US population, discounting only people with no online presence (e.g. infants).

In any case, the fact that they have prevaricated about this for the past 6 years makes pretty clear that the answer will not look good. It's time to end these programs. If they want them renewed, the replacements will need real oversight.
